General

  • Target

    JaffaCakes118_4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

  • Size

    221.1MB

  • Sample

    241224-vdwynsskdw

  • MD5

    0c1df79aedd19bad104f962cfa9495a2

  • SHA1

    62f9b3c0e8d3f29663c2bafde2602d7cda044fcc

  • SHA256

    4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

  • SHA512

    b1f89e94914584186da5f6cd2755b35c134402f66f1c0d6dea22feafe84fe5b96f6e46460edce3c1c5a8ce0d0f766f6921b8c196e97172fcdbeeb0057b6f36db

  • SSDEEP

    3145728:rdm8ZSmWUMbGIngwOqslykYmO6PCtzCtFRU/mvL91UppmkSKmfLeUuO5jPOL0aj0:fSmhMbGqylyzs/imvL91UYLfLd1PHp

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.91.237.42:8443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    47.91.237.42,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)

  • watermark

    305419896

Extracted

Family

zloader

Botnet

main

Campaign

26.02.2020

C2

https://airnaa.org/sound.php

https://banog.org/sound.php

https://rayonch.org/sound.php

Attributes
  • build_id

    19

rc4.plain

Extracted

Family

revengerat

Botnet

XDSDDD

C2

84.91.119.105:333

Mutex

RV_MUTEX-wtZlNApdygPh

Extracted

Family

revengerat

Botnet

Victime

C2

cocohack.dtdns.net:84

Mutex

RV_MUTEX-OKuSAtYBxGgZHx

Extracted

Family

zloader

Botnet

25/03

C2

https://wgyvjbse.pw/milagrecf.php

https://botiq.xyz/milagrecf.php

Attributes
  • build_id

    103

rc4.plain

Extracted

Family

revengerat

Botnet

samay

C2

shnf-47787.portmap.io:47787

Mutex

RV_MUTEX

Extracted

Family

zloader

Botnet

09/04

C2

https://eoieowo.casa/wp-config.php

https://dcgljuzrb.pw/wp-config.php

Attributes
  • build_id

    140

rc4.plain

Extracted

Family

zloader

Botnet

07/04

C2

https://xyajbocpggsr.site/wp-config.php

https://ooygvpxrb.pw/wp-config.php

Attributes
  • build_id

    131

rc4.plain

Extracted

Family

revengerat

Botnet

INSERT-COIN

C2

3.tcp.ngrok.io:24041

Mutex

RV_MUTEX

Extracted

Family

revengerat

Botnet

YT

C2

yukselofficial.duckdns.org:5552

Mutex

RV_MUTEX-WlgZblRvZwfRtNH

Extracted

Family

revengerat

Botnet

system

C2

yj233.e1.luyouxia.net:20645

Mutex

RV_MUTEX-GeVqDyMpzZJHO

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

srpmx.ddns.net:5552

Mutex

c6c84eeabbf10b049aa4efdb90558a88

Attributes
  • reg_key

    c6c84eeabbf10b049aa4efdb90558a88

  • splitter

    |'|'|

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

0.7d

Botnet

HACK

C2

43.229.151.64:5552

Mutex

6825da1e045502b22d4b02d4028214ab

Attributes
  • reg_key

    6825da1e045502b22d4b02d4028214ab

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

zloader

Botnet

googleaktualizacija

Campaign

googleaktualizacija1

C2

https://iqowijsdakm.ru/gate.php

https://wiewjdmkfjn.ru/gate.php

https://dksaoidiakjd.su/gate.php

https://iweuiqjdakjd.su/gate.php

https://yuidskadjna.su/gate.php

https://olksmadnbdj.su/gate.php

https://odsakmdfnbs.com/gate.php

https://odsakjmdnhsaj.com/gate.php

https://odjdnhsaj.com/gate.php

https://odoishsaj.com/gate.php

Attributes
  • build_id

    155

rc4.plain
rsa_pubkey.plain

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Attributes
  • build

    300869

  • exe_type

    loader

Extracted

Family

gozi

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes
  • build

    300869

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Extracted

Family

formbook

Version

4.1

Campaign

app

Decoy

niresandcard.com

bonusscommesseonline.com

mezhyhirya.com

paklfz.com

bespokewomensuits.com

smarteralarm.info

munespansiyon.com

pmtradehouse.com

hotmobile-uk.com

ntdao.com

zohariaz.com

www145123.com

oceanstateofstyle.com

palermofelicissima.info

yourkinas.com

pthwheel.net

vfmagent.com

xn--3v0bw66b.com

comsystematrisk.win

on9.party

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Targets

    • Target

      JaffaCakes118_4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

    • Size

      221.1MB

    • MD5

      0c1df79aedd19bad104f962cfa9495a2

    • SHA1

      62f9b3c0e8d3f29663c2bafde2602d7cda044fcc

    • SHA256

      4abc4e174beea2d801bab1f52a202a1adcdc372443e25a2f1875b90f112ff56d

    • SHA512

      b1f89e94914584186da5f6cd2755b35c134402f66f1c0d6dea22feafe84fe5b96f6e46460edce3c1c5a8ce0d0f766f6921b8c196e97172fcdbeeb0057b6f36db

    • SSDEEP

      3145728:rdm8ZSmWUMbGIngwOqslykYmO6PCtzCtFRU/mvL91UppmkSKmfLeUuO5jPOL0aj0:fSmhMbGqylyzs/imvL91UYLfLd1PHp

    Score
    1/10
    • Target

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe

    • Size

      144KB

    • MD5

      9e9bb42a965b89a9dce86c8b36b24799

    • SHA1

      e2d1161ac7fa3420648ba59f7a5315ed0acb04c2

    • SHA256

      08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d

    • SHA512

      e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8

    • SSDEEP

      3072:ep1qwbk6Wbh/UR++pz1OBrNtZtHpspurmxwPtnneZY:epoP6WV/C116rNbtHpsYrmSP1neZY

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

    • Size

      355KB

    • MD5

      b403152a9d1a6e02be9952ff3ea10214

    • SHA1

      74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5

    • SHA256

      0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51

    • SHA512

      0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8

    • SSDEEP

      6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF

    Score
    3/10
    • Target

      0di3x.exe

    • Size

      111KB

    • MD5

      bd97f762750d0e38e38d5e8f7363f66a

    • SHA1

      9ae3d7053246289ff908758f9d60d79586f7fc9f

    • SHA256

      d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158

    • SHA512

      d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39

    • SSDEEP

      1536:4SYTPSLUTRZaEioqsQRPRXplmbH50B+dLDOZrZRzKZvJj5RmLFs8hN:43OLUra1oqxvplQ50BrStJ9RmLFs

    • Target

      104.248.221.3/systemerror-ie-edge/_data_image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMA/xhBQAAAAFzUkdCAK7OHOkAAAAPUExURQAAAAICAgAAAP/5WVlXiCGdAAAAADdFJOUwD8ZX+n/7gAAABvSURBVHja7dbBAUAwEABB/ykAAAAAAAAAAAAAAAAAgNcF

    • Size

      178B

    • MD5

      7e2c427186d4e1bac52813383423e82e

    • SHA1

      bdede1efdd02eec3e5ee34eb555e44227d2bb2f1

    • SHA256

      887c8ada6058f01125a5131f1c495ba5f0171b2c40466ea824494403b87c1a22

    • SHA512

      09fa2c8d7d9a732abe7f118bfa20c1b7c47bec9b40e221366dae05bd01811f029d85544ff35b517e54faaf4b35a672e50e5fca232460fe3c0844132bdf0c818d

    Score
    3/10
    • Target

      104.248.221.3/systemerror-ie-edge/dsffddfdfdsawqwq22121sdsd.html

    • Size

      84B

    • MD5

      52bf3ccddb64ba07d5d6d79fdfba4765

    • SHA1

      f369871f7f1efa470a92ebb8ab98ad26b6754965

    • SHA256

      11359d75d1ccf8ead98ba93030fb3e9050157c154ac53255f9dda71f1465c3d7

    • SHA512

      56e5407cadabdf85fe16cb1fba51fffa92a8be23c2b8dcaa108a69cfb511318b2ec7f45c3782aeb49908d840a67ce62d4c18d3d1ffb7574f3edb73d355485939

    Score
    3/10
    • Target

      104.248.221.3/systemerror-ie-edge/img/blur.html

    • Size

      178B

    • MD5

      7e2c427186d4e1bac52813383423e82e

    • SHA1

      bdede1efdd02eec3e5ee34eb555e44227d2bb2f1

    • SHA256

      887c8ada6058f01125a5131f1c495ba5f0171b2c40466ea824494403b87c1a22

    • SHA512

      09fa2c8d7d9a732abe7f118bfa20c1b7c47bec9b40e221366dae05bd01811f029d85544ff35b517e54faaf4b35a672e50e5fca232460fe3c0844132bdf0c818d

    Score
    3/10
    • Target

      104.248.221.3/systemerror-ie-edge/img/headshot-bg.html

    • Size

      178B

    • MD5

      7e2c427186d4e1bac52813383423e82e

    • SHA1

      bdede1efdd02eec3e5ee34eb555e44227d2bb2f1

    • SHA256

      887c8ada6058f01125a5131f1c495ba5f0171b2c40466ea824494403b87c1a22

    • SHA512

      09fa2c8d7d9a732abe7f118bfa20c1b7c47bec9b40e221366dae05bd01811f029d85544ff35b517e54faaf4b35a672e50e5fca232460fe3c0844132bdf0c818d

    Score
    3/10
    • Target

      104.248.221.3/systemerror-ie-edge/indexe2c9.html

    • Size

      30KB

    • MD5

      c3d72f83e398064acdc21509226b47fa

    • SHA1

      df3afbd526151107acce3bae7d25f1cf33349b4c

    • SHA256

      e8da6f7472b2ce092fddf64bce7ea2960ed63ea92ba4dfbfa93bff5bf7913025

    • SHA512

      b77ea23c163d100fcaa4f3ef2020072793fc4605145c13c26302faad6baf4f27a3cb827340eef61b2c154b89ccabe5b8f773c1f34b9f39786fa6979271fffdcd

    • SSDEEP

      384:H+51uEhO56OIop2I8NKFWuS6F+TtObFhuw6F+TtOFE31+/VUxfh07oQNI7gW0M:e5fq+bz+oElsVUxfh07ocI7gg

    Score
    3/10
    • Target

      104.248.221.3/systemerror-ie-edge/js/main.js

    • Size

      2KB

    • MD5

      912734e981f454609fcde1c63a4467b3

    • SHA1

      6c475e786a6858804719d90c809fd5bffe317d2f

    • SHA256

      e8af3476f0800500930ac809b2316f11bdcdaeb88f7309f523e4d0c2e5f58db7

    • SHA512

      5471bfdda02cb56860d7a205b54b5fb96fc7f7ff1f781d5ded3f2b15e975d9796460e3c7f8e5bf02eeb8ec226996c95cbe6b11d20a1cec9b36496f7c9793e590

    Score
    3/10
    • Target

      11.html

    • Size

      7KB

    • MD5

      ad4a9397a513760d6b7b7c95949a0421

    • SHA1

      d6284164627c386d2a2a2577c4e94cd22ba9fcf7

    • SHA256

      31ee9a4d7bedce33c62b7bb5cca7551813ff7fd9c486293f749a58f4486f0300

    • SHA512

      d49b4ee6eee88e2d0f81ca03871cd38e482aa26dec4016359237b0a71b297721e068047abefe09f714ddb77f4b63fcca88de80cfc4f27c0d94faf26158bc2cb0

    • SSDEEP

      192:zzbRccMfnoFoj6FQjHRiO7hp/iL7z6/Jz0fuz55555555555555555555555555b:DRcNfZ/na7z6hz0fuz5555555555555V

    Score
    3/10
    • Target

      12.html

    • Size

      2KB

    • MD5

      3e1beb3a3cc648f798284e78e948cb0a

    • SHA1

      02c1f8d16a5667c3fce31354fe4a8a134bfc30b1

    • SHA256

      15d6940e18fbce99ff0b7509c09c32ada4760a5e3a5f64d8ad8b3b8c8f564fbb

    • SHA512

      dc0c5a5e9cf8e99c749c07fe7adcfbf20ab5db84e249861c4fad2577e0136d6dbabc5a7b96e8b99d0b86479c6a30a910857b7b7db39c884532eaccb08b9aabe2

    Score
    9/10
    • Renames multiple (252) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops file in System32 directory

    • Target

      4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab

    • Size

      524KB

    • MD5

      4aa199c19c28cd1d176b7f6ff59bd713

    • SHA1

      ec321c45f365ad178bbbef4f873578ffc52b6114

    • SHA256

      4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab

    • SHA512

      b764a3378677a4d7ceba3d57442b98028581c0c2841bdac287c5caced0f350638a2c1c0a6136873d29627420b208789873c0d5a5ad4d28e3f1e3758e3a12a6f5

    • SSDEEP

      3072:3izUDxPs3Wo9MuFaNJXzWPfdidHzaCiZv1DwWD3aw8Vnx/VJqX8IoxKOgl9aYz4h:SuyRLavQTjd8VzJSnyK1UYzSx

    • Zloader family

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Target

      2019-09-02_22-41-10.exe

    • Size

      251KB

    • MD5

      924aa6c26f6f43e0893a40728eac3b32

    • SHA1

      baa9b4c895b09d315ed747b3bd087f4583aa84fc

    • SHA256

      30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95

    • SHA512

      3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a

    • SSDEEP

      6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF

    • Target

      2c01b007729230c415420ad641ad92eb.exe

    • Size

      1.3MB

    • MD5

      daef338f9c47d5394b7e1e60ce38d02d

    • SHA1

      c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

    • SHA256

      5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

    • SHA512

      d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

    • SSDEEP

      24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Hawkeye family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      31.exe

    • Size

      12.5MB

    • MD5

      af8e86c5d4198549f6375df9378f983c

    • SHA1

      7ab5ed449b891bd4899fba62d027a2cc26a05e6f

    • SHA256

      7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

    • SHA512

      137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

    • SSDEEP

      393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Danabot

      Danabot is a modular banking Trojan that has been linked with other malware.

    • Danabot family

    • Danabot x86 payload

      Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Dharma family

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

    • Gozi family

    • Qakbot family

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Raccoon Stealer V1 payload

    • Raccoon family

    • AgentTesla payload

    • CryptOne packer

      Detects CryptOne packer defined in NCC blogpost.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Renames multiple (62) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

macromacro_on_action305419896main26.02.2020upxstealerxdsdddvictime25/03samaycryptonepacker09/0407/04insert-coinytsystemhackedhackmodiloaderzeppelincobaltstrikenjratrevengeratzloaderxred
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

zloadermain26.02.2020botnetdiscoverypersistencetrojan
Score
10/10

behavioral4

zloaderbotnetdiscoverypersistencetrojan
Score
10/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

smokeloaderbackdoortrojan
Score
10/10

behavioral8

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

execution
Score
3/10

behavioral20

execution
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discoveryransomware
Score
9/10

behavioral24

discovery
Score
3/10

behavioral25

zloadergoogleaktualizacijagoogleaktualizacija1botnetdiscoverytrojan
Score
10/10

behavioral26

zloadergoogleaktualizacijagoogleaktualizacija1botnetdiscoverytrojan
Score
10/10

behavioral27

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral28

smokeloaderbackdoordiscoverytrojan
Score
10/10

behavioral29

hawkeyecollectiondiscoverykeyloggerpersistencespywarestealertrojan
Score
10/10

behavioral30

discovery
Score
7/10

behavioral31

agentteslaformbookgoziqakbotraccoon86920224spx1291590734339w9zagilenetbankercryptonedefense_evasiondiscoveryexecutionimpactkeyloggerpackerransomwareratrezer0rm3spywarestealertrojan
Score
10/10

behavioral32

agenttesladanabotdharmaformbookgozi86920224appw9zagilenetbankerbotnetcryptonedefense_evasiondiscoveryevasionexecutionimpactkeyloggerpackerpersistenceransomwareratrezer0rm3spywarestealertrojan
Score
10/10